You (Probably) Heard It Here First: AntiForensics


Crime and war have a lot in common. The good guys and the bad guys are in a constant battle of escalation, each trying to adapt to and surpass each other’s latest techniques.

On the information technology front, one of the fundamental techniques in investigating crime (both the hacker-perpetrated sort and routine investigations of computers) is what is called forensics: techniques and programs designed to find out what was done with and to a computer, and when. But those investigative tools are being thwarted. As “How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab” in CIO Magazine puts it:

Computer crime has shifted from a game of disruption to one of access. The hacker’s focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

This development came about in large measure because antiforensics software and techniques used to be limited to Unix, where using them required a high level of programming skill. Now they are available on Windows, which is a low-security environment to begin with (unlike Unix, it is impossible to make Windows machines fully secure). Suddenly the bar for covering one’s electronic tracks has been lowered. That means that hackers can now use very crude techniques to gain entry, ones they would never have dared use before because it would have been too easy to get caught. Another effect of lowering the skill level needed to hack with impunity is that you can recruit from a much broader pool of IT types. This is heaven for the Russian mob, which is one of the leading players, if not the leading player, in credit card fraud.

So credit card and identity fraud are not only not going away, but they are likely to get worse before they get better. No wonder financial companies are fighting to avoid being made liable in the event of identity fraud.

Yet the ultimate culprit is Windows, and as its security problems become more evident, more businesses will be encouraged to move away from Windows to either Linux or Apple, both of which are based on the rock-solid and highly secure Unix. Linux requires no operating system license, and a typical installation needs 1/10 as many IT professionals as Windows. Yet corporations are afraid to switch (not hard to understand why: Windows is a full employment act for IT departments).

The other reason for discussing antiforensics is that readers should be aware that evidence of computer activity, which most people regard as incontrovertible, is in fact rubbish. The CIO article quotes Vincent Liu, who has developed antiforensic tools and feels he has good reasons for doing so:

For any case that relies on digital forensic evidence, Liu says, “It would be a cakewalk to come in and blow the case up. I can take any machine and make it look guilty, or not guilty. Whatever I want.”

Liu’s goal is no less than to upend a legal precedent called the presumption of reliability. In a paper that appeared in the Journal of Digital Forensic Practice, Liu and coauthor Eric Van Buskirk flout the U.S. courts’ faith in digital forensic evidence. Liu and Van Buskirk cite a litany of cases that established, as one judge put it, computer records’ “prima facie aura of reliability.” One decision even said computer records were “uniquely reliable in that they were computer-generated rather than the result of human entries.” Liu and Van Buskirk take exception. The “unfortunate truth,” they conclude, is that the presumption of reliability is “unjustified” and the justice system is “not sufficiently skeptical of that which is offered up as proof.”

Something to keep in mind if you are ever in the unfortunate position of having the authorities seize your computer.

The article is only mildly geeky and very much worth reading.
